Incorrect Period Start Calculation in BaseGauge::_updateWeights Function
Summary
The _updateWeights function in the BaseGauge contract miscalculates the nextPeriodStart for subsequent periods by incrementing the current period by 1 instead of 2. This error can lead to overlapping periods, causing inaccurate weight calculations and potential disruptions in contract operations.
Vulnerability Details
Issue: In the _updateWeights function, when updating weights for periods beyond the initial one, the
nextPeriodStartis calculated as ((currentTime / duration) + 1) * duration . This formula sets the start of the next period to the immediate next interval, which can overlap with the current period if the function is called near the end of the current period.
Root Cause: The miscalculation arises from adding 1 to the current period index (
currentTime / duration) instead of 2. This approach doesn't account for the need to skip the current period, leading to overlapping periods.
Impact
Overlapping Periods: The miscalculation can cause the new period to start before the current period ends, leading to overlapping periods. This overlap can result in inaccurate weight calculations, as multiple periods may be considered active simultaneously.
Tools Used
Manual Review.
Recommendations
Correct the Period Calculation: Modify the calculation of nextPeriodStart to add 2 to the current period index, ensuring the new period starts after the current one ends.
Lead Judging Commences
BaseGauge::updatePeriod uses ((currentTime / periodDuration) + 2) calculation causing entire reward periods to be skipped, resulting in permanent loss of user rewards
BaseGauge::updatePeriod uses ((currentTime / periodDuration) + 2) calculation causing entire reward periods to be skipped, resulting in permanent loss of user rewards
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.